How do I use a whole new query search for when one...

ARU152 · ‎05-17-2020

For the first dropdown Panel I use $Type$ as a token, and I am able to use the "All" option. However, I have a second dropdown panel in my Splunk dashboard with options as well as "All". But the result of All should be all the dropdown options in it added together since there are values. However, I cannot use the wildcard symbol because the other dropdown selections uses the stats latest function, so using the wild card "All" will only take the "latest" instead of adding all the other dropdown values. So I have a new query that I would like to use for this one dropdown option. How do I implement that new query search for only when "All" is selected? Do I have to add a change tag in the Splunk xml for that option?

This is the query I want for whenever one of the options is chosen:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report| rex "(?P{.*})" | spath input=json_data path=json_path | mvexpand json_path | stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit |eval is_match=case(match("'$Type$'", "(?i)linux"), "linux", match("'$Type$'", "(?i)windows"), "windows", match("'$Type$'", "(?i)all"), "") |eval case = lower(PatchActivityTitle) | eval prefix=case(match("'$server_prefix2$'", "(?i)prdtx"), "prdtx", match("'$server_prefix2$'","(?i)prdjc"), "prdjc", match("'$server_prefix$'", "(?i)prded"), "prded", match("'$server_prefix$'", "(?i)all"), "")| table server_prefix, PatchActivityTitle, BusinessUnit, "Already Patched", is_match, case, prefix | where LIKE(server_prefix, "%".prefix."%") and LIKE(case,"%".is_match."%")| replace "'*'" WITH "*" | xyseries PatchActivityTitle, BusinessUnit, "Already Patched" | fillnull value=0

This is the query I want to show when the "ALL" option is chosen from the dropdown:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report| rex "(?P{.*})" | spath input=json_data path=json_path | mvexpand json_path | stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit | eval is_match=case(match("'$PatchActivityType$'", "(?i)linux"), "linux", match("'$PatchActivityType$'", "(?i)windows"), "windows") | eval case = lower(PatchActivityTitle)  | stats sum("Already Patched") as "Patched" by PatchActivityTitle, BusinessUnit, is_match, case
|  table PatchActivityTitle, BusinessUnit, "Patched", is_match, case|  where LIKE(case, "%".is_match."%")
|  xyseries PatchActivityTitle, BusinessUnit, "Patched"| replace "'*'" WITH "*"| fillnull value=0

niketn · ‎06-23-2020

Write the <change> event handler for your dropdown input and build SPL as needed based on label value selected. PS: $label$ and $value$ are the default values for input change event handler. As you can see in the first condition block label can be used directly (other option is to use value directly as well), i.e. no need to use that as token. However while setting the token I have used $value$ instead of $Type$ as we are handling the same token which we need to use.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How do I use a whole new query search for when one of the dropdown options are selected in my Splunk dashboard? (without tokens)

form

panel

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms